Computer virus hits US Predator and Reaper drone fleet


A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other war zones.

The virus, first detected nearly two weeks ago by the military’s Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech’s computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the US military’s most important weapons system.

“We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three who told Danger Room about the virus. “We think it’s benign. But we just don’t know.”

Military network security specialists aren’t sure whether the virus and its so-called “keylogger” payload were introduced intentionally or by accident; it may be a common piece of malware that just happened to make its way into these sensitive networks. The specialists don’t know exactly how far the virus has spread. But they’re sure that the infection has hit both classified and unclassified machines at Creech. That raises the possibility, at least, that secret data may have been captured by the keylogger, and then transmitted over the public internet to someone outside the military chain of command.

Drones have become America’s tool of choice in both its conventional and shadow wars, allowing US forces to attack targets and spy on its foes without risking American lives. Since President Obama assumed office, a fleet of approximately 30 CIA-directed drones has hit targets in Pakistan more than 230 times; all told, these drones have killed more than 2,000 suspected militants and civilians, according to the Washington Post. More than 150 additional Predator and Reaper drones, under US Air Force control, watch over the fighting in Afghanistan and Iraq. American military drones struck 92 times in Libya between mid-April and late August. And late last month, an American drone killed top terrorist Anwar al-Awlaki, part of an escalating unmanned air assault in the Horn of Africa and southern Arabian peninsula.

The lion’s share of US drone missions are flown by Air Force pilots stationed at Creech, a tiny outpost in the barren Nevada desert, 20 miles north of a state prison and adjacent to a one-story casino. In a nondescript building, down a largely unmarked hallway, are a series of rooms, each with a rack of servers and a “ground control station,” or GCS. There, a drone pilot and a sensor operator sit in their flight suits in front of a series of screens. In the pilot’s hand is the joystick, guiding the drone as it soars above Afghanistan, Iraq, or some other battlefield.

Some of the GCSs are classified secret and used for conventional warzone surveillance duty. The GCSs handling more exotic operations are top secret. None of the remote cockpits are supposed to be connected to the public internet, which means they are supposed to be largely immune to viruses and other network security threats.

Predator and Reaper crews use removable hard drives to load map updates and transport mission videos from one computer to another, and the virus is believed to have spread through these removable drives. Use of such drives is now severely restricted throughout the military, but the base at Creech was one of the exceptions, until the virus hit. Drone units at other Air Force bases worldwide have now been ordered to stop their use.

In the meantime, technicians at Creech are trying to get the virus off the GCS machines. It has not been easy. At first, they followed removal instructions posted on the website of the Kaspersky security firm. “But the virus kept coming back,” a source familiar with the infection says. Eventually, the technicians had to use a software tool called BCWipe to completely erase the GCS’ internal hard drives. “That meant rebuilding them from scratch” — a time-consuming effort.

The Air Force declined to comment directly on the virus. “We generally do not discuss specific vulnerabilities, threats, or responses to our computer networks, since that helps people looking to exploit or attack our systems to refine their approach,” says Lt. Col. Tadd Sholtis, a spokesman for Air Combat Command, which oversees the drones and all other Air Force tactical aircraft. “We invest a lot in protecting and monitoring our systems to counter threats and ensure security, which includes a comprehensive response to viruses, worms, and other malware we discover.”

However, insiders say that senior officers at Creech are being briefed daily on the virus.

Where's CYBERCOM when you need them? At the very least if the systems themselves are airgapped there shouldn't be any data getting out. Last I checked spyware didn't rely on sneakernet to exfiltrate data.

The fact that they *aren't even sure what the virus is* ought to be plenty scary. How do they know it's not China's own Stuxnet, for example? "We think it's benign?" How benign will it seem if someone begins remotely piloting the remotes? Far fetched perhaps, but so was Stuxnet.

This kind of thing makes me feel like we're already living in some weird combination of the Matrix and one of William Gibson's early novels. Most of us are just blissfully unaware of it.

I have a friend who's spent several years designing security systems for the Army, and he's been trying to prevent this for years. "If you ever think about hooking this weapon system up to the internet, I will shut your whole operation down."

I can only speculate, but it sounds like some kid's been goofing off with USB drives or laptops and screwed everything up...

So wait, there is a virus, infecting a critical piece of our military infrastructure - we know that the virus is there, we don't know where it comes from or what it's doing - we aren't able to remove it, and we keep using systems infected by this virus?

Not knowing the virus is there at all would be one thing: incompetent, but understandable. But this takes incompetence to a whole new level.


technicians at Creech are trying to get the virus off the GCS machines. It has not been easy. At first, they followed removal instructions posted on the website of the Kaspersky security firm. “But the virus kept coming back,” a source familiar with the infection says. Eventually, the technicians had to use a software tool called BCWipe to completely erase the GCS’ internal hard drives. “That meant rebuilding them from scratch” — a time-consuming effort.

So the US military has never heard of system images or snapshots? There are all sorts of things you can do to avoid having to load an OS from scratch.


If they don't know how it keeps coming back, then there is no way to know which image is clean. They could trial-and-error the images, but that's as much effort as wipe and rebuild.


Never worked for any federal or military place but yeah, it kinda shocks me how badly it's being handled... a half-decent SMB has processes in place to handle outbreaks like this.

It's a keylogger, so it's not dangerous. But, it does show that someone was capable of loading a virus onto closed systems. I'm thinking that a worse virus is coming around the corner, and the IT guys at Creech (who aren't actually IT guys) will be powerless to fix things.

The article makes the military sound like a bunch of IT newbies with newly minted MCSE certificates at a startup trying to figure out their first infection, and not really sure what to do.

The US Government claims that it pays a lot of well-trained people to protect military hardware from infiltration. Did somebody forget to call them? Were the experts unable to find Nevada on the map so couldn't get help to them?

The whole thing sounds unreal. Continuing to use systems infected with viruses and keyloggers? OK, it's harder to exfiltrate gathered data through USB keys, but come on. If this happened at most serious commercial installations there would be some people looking for new employment.

Glue the USB ports shut, boom, problem solved. Or, start prosecuting people who introduce viruses into military networks for espionage.

The military is already doing this, disabling USB ports on machines.

The problem is: People were using those USB sticks because their networks were too restrictive for them to do their job. Now that USB is out, they have to find another way (burned CDs most likely) and you have the same problem again with malware hitching a ride on whatever media they use. You can't just say: "don't put any media on this machine", because then they can't do their job.

Really, they should have network access (it's far more efficient than burning CDs), but with well thought out protections that prevent malware from being able to exploit it.

The virus is on a system chip more likely if they cannot remove it... Finding out where it's coming from will be quite a task... some firmware somewhere is most likely the issue - hence "it keeps coming back". There is always some custom hardware that contains firmware... hell, it could be their flight controls...

I'm genuinely confused here. They have a virus and Kaspersky doesn't know what to do... does that mean they're actually using WINDOWS to run these machines and, thus, these operations?

I strongly assume that's not the case, but the whole scenario sounds so... well... windows-ish...

The military runs on Windows. The push for COTS is decades old at this point. Why is this a surprise? Did you expect them to buy Macs instead? Big Unix shops charge an arm and a leg and don't have equipment in the right form factors (ruggedized, low power, handheld, etc...) and have their own issues.